Startampr: Difference between revisions
No edit summary |
No edit summary |
||
Line 1: | Line 1: | ||
'''startampr''' is a custom suite of [https://en.wikipedia.org/wiki/Bash_%28Unix_shell%29 Bourne Again Shell] scripts developed by KB3VWG and others in the [[44Net mailing list]] Community, that turns a Debian/Ubuntu-based Linux machine into an AMPR [[Gateway]] on boot; and starts an [https://en.wikipedia.org/wiki/IP_in_IP IPENCAP] (or [https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers IP Protocol] number four) tunnel. The primary advantage to using this suite is that it executes and enables AMPR RIP44 daemons, munge scripts, interfaces and routing commands in proper boot order; and references them using the command syntax, default command arguments and practices that have become the de facto standard on [[AMPRNet]]. It is also minimally invasive, in that the machine is otherwise an "untouched" | '''startampr''' is a custom suite of [https://en.wikipedia.org/wiki/Bash_%28Unix_shell%29 Bourne Again Shell] scripts developed by KB3VWG and others in the [[44Net mailing list]] Community, that turns a Debian/Ubuntu-based Linux machine into an AMPR [[Gateway]] on boot; and starts an [https://en.wikipedia.org/wiki/IP_in_IP IPENCAP] (or [https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers IP Protocol] number four) tunnel. The primary advantage to using this suite is that it executes and enables AMPR RIP44 daemons, munge scripts, interfaces and routing commands in proper boot order; and references them using the command syntax, default command arguments and practices that have become the de facto standard on [[AMPRNet]]. It is also minimally invasive, in that the machine is otherwise remains an "untouched" default installation; and can be returned to an OEM Ubuntu installation by simply removing all associated files and uninstalling all packages added when configuring the machine to run '''startampr''' (please assist me in developing an uninstall script, if interested). '''The current versions are 1.0 (no longer developed), and 2.0 Release Candidate 4, released to the [[44Net mailing list]] Community on August 2, 2015 at 7:00 PM UTC. | ||
Revision as of 12:26, 3 August 2015
startampr is a custom suite of Bourne Again Shell scripts developed by KB3VWG and others in the 44Net mailing list Community, that turns a Debian/Ubuntu-based Linux machine into an AMPR Gateway on boot; and starts an IPENCAP (or IP Protocol number four) tunnel. The primary advantage to using this suite is that it executes and enables AMPR RIP44 daemons, munge scripts, interfaces and routing commands in proper boot order; and references them using the command syntax, default command arguments and practices that have become the de facto standard on AMPRNet. It is also minimally invasive, in that the machine is otherwise remains an "untouched" default installation; and can be returned to an OEM Ubuntu installation by simply removing all associated files and uninstalling all packages added when configuring the machine to run startampr (please assist me in developing an uninstall script, if interested). The current versions are 1.0 (no longer developed), and 2.0 Release Candidate 4, released to the 44Net mailing list Community on August 2, 2015 at 7:00 PM UTC.
Detailed Summary
In addition to the first and main script, startampr, other tools included with the official release are: init scripts to execute the file, save the routing table (if using a method that does not automatically save it); and an executable script generator (made using the sed command) that can restore the AMPR routing table (i.e. in the case the administrator flushes the table). The script uses the ipip Linux Kernel module and implements Linux ip routing table's policy-based routing to properly move traffic across the routing plane. It suggested that iptables be used to firewall traffic after verification of a proper installation.
The official release uses rip44d as its RIP44 protocol daemon; but ampr-ripd or Encap.txt with a munge script may be used (instructions by KB9MWR use ampr-ripd). To operate a Gateway on AMPRNet, you must have a method of obtaining up-to-date route information. On AMPRNet, a variant of RIP version 2 protocol, named RIP44 is used. RIP version 2 is not the same as RIP44. rip44d is written in the Perl programming language. ampr-ripd is written in C. The routing table is relatively small, so the performance or memory consumption of this daemon isn't very critical. The developer choose rip44d simply because it was the only daemon available when version 1.0 was developed. The use of any method to add route information to table 44 will work. It should be noted that: startampr was developed around rip44d; and improves on features not included (e.g. reload of routing table upon reboot). The scripts to backup/restore are not needed when using ampr-ripd (but can be developed to provide geographically-local tertiary sources of the AMPR routing table).
NOTE: if you do not wish to compile software, you must use rip44d or Encap.txt with a munge script.
2.0 Security Update
startampr 2.0's code includes a security fix that corrects a routing issue that allows unencapsulated traffic from the tunnel to leak onto the LAN or Public Internet interface in version 1.0 - this only occurs when a AMPRNnet-facing user attempts to connect using invalid source IPs or invalid AMPRNet IP address. In original development of version 1.0, it was considered that this behavior could be valid to reach subnets ran by operators using the option at: Announcing your allocation directly; but do not make their tunnel available on a non-44.0.0.0/8 address.
It is a generally accepted practice on the Internet that network operators source filter their traffic, making BGPed subnets an exception for AMPRNet Gateways (see RFC3013, section 4.3 and 4.4). It is also accepted AMPRNet practice that these operators consider running a tunneled Gateway on any non-AMPRNet IP available for accessibility to/from those running IPENCAP Gateways. It may be useful to also have redundant VLANs on two or more interfaces possessing the same Public IP at two or more borders; and run a script between the AMPR Gateways - using Dynamic DNS to synchronize them, verify if connectivity goes down on either device's tunl0 interface and update the Portal accordingly.
I'm happy and willing to work with any BGP subnet operator who wishes to develop a script to establish an AMPR Gateway for your multi-homed AMPRNet BGPed subnet.
Requirements
- You'll need a Linux computer, which has been added in the Gateways file using the Portal, so that it is known as an AMPRnet Gateway and will receive RIP44 updates from the main Gateway. It will take some time before Amprgw will learn about new gateways.
- The instructions below are currently only for Debian/Ubuntu, but there's nothing Debian-specific - it should work fine on other distributions (if the correct packages used (e.g. wget/curl, The Bourne Again Shell/BASH, sed, ip, chmod, PERL, etc.) Interface names, file and folder locations, file permissions, etc. are edited.
You must first properly install:
- the operating system and network interfaces
- then properly install startampr to enable the tunnel. The tunnel interface must be operational and in 'UP' status before proceeding.
- the RIP44 daemon which receives periodic routing table updates from the AMPRNet routing service, and inserts them in the Linux routing table of your choice (most users use table 44; and the scripts use this value as well). You must verify that you are receiving route information before proceeding.
- boot script to /etc/init/
- (Optional) a script to restore the routing table to /etc/if-ip.d/
Installation of startampr
Install the the script to /usr/local/sbin and sudo chmod ug+x /usr/local/sbin/startampr
After obtaining the correct password from the route announcement and entering it into the properly configured script, install the boot and interface-up scripts (sample init scripts provided).
The additional script /etc/cron.hourly/backup_ampr creates an hourly backup of the AMPR routing table, located in two files at /usr/local/sbin:
- /usr/local/sbin/table44_bak - It is a text file that contains a copy of output from the command: 'ip route get table 44'
- /usr/local/sbin/restore44sh - It contains a copy of table44_bak with the command "ip route add table 44 " appended to each line. backup_ampr gives this file executable permissions to user:root and group:root. Execute this file using the command: sudo ./usr/local/sbin/restore44sh to restore your routing table if the need ever occurs.
You can verify the backup is running by issuing the command: ls -l /usr/local/sbin/restore44sh and ls -l /usr/local/sbin/table44_bak If the machine has been up, the files should be no more than an hour old.
That should be all. Really. The downside of this configuration is that it will take up to 5 minutes for the gateway to receive a routing update and become operational after a reboot. The additional scripts provided store the current routing table in a local file hourly and load it from there when starting up. Thereafter, after every hour of uptime your routing table is backed up at :17 on the hour. This backup can be used if you ever need to execute the ip command to flush table 44.
Installation of dependencies on Debian/Ubuntu
If you use rip44d, install perl, and IO::Socket::Multicast, a Perl module used for receiving the RIP multicast packets
sudo apt-get install perl libio-socket-multicast-perl libio-interface-perl
recommended:
sudo apt-get install traceroute
Installation of dependencies on other distributions
Other distributions should have an easy way to install the required packages too (using yum or a similar program). Please fill in details here, if you know them.
Notes
- startampr documentation uses tunl0 as the tunnel interface (it is the default on RIP44 daemons) and table 44 for those routes. Use the -i <if> and -t <ip table> option to change to another. The command arguments differ between rip44d and ampr-ripd. startampr uses rip44d. See the documentation for the RIP44 programs if decide to use custom interfaces, tables or switch to a routing daemon other than rip44d.
- The script places the routing daemon at /usr/local/sbin/rip44d_<version number> (this assists in preventing inadvertent running of RIP44 Protocol before you have configured startampr.
- The routing rules do not account for rogue traffic containing both an invalid source and destination IP (which the security of the Portal generally prevents). Use iptables to DROP forwarding of all traffic entering tunl0 not matching a source or destination of 44.60.44.0/8. This can be done by adding adding rules to drop forwarding, by default, packets not possessing correct source and destination IPs in the range of 44.0.0.0/8, etc.
- The -a <IP in Portal> is used to remove your routes from the table (which is incorrect, as they are local). startampr places your local routes in a higher routing table, eliminating the need to use the -a argument. This is a good feature for those who are assigned a dynamic IP address from their Internet Service Provider.
- The tunnel interface must be up and configured before rip44d starts up. startampr places this command in the proper location.
- rip44d automatically adds an AMPR route to the Main AMPRNet Gateway on table 44
- The startampr backup script /etc/cron.hourly/backup_ampr is added to a folder that is configured in Ubuntu, by default, to run scripts at :17 after the hour. The Main AMPR Gateway sends an update every five minutes. For advanced instructions on changing this time interval, see the Ubuntu Community cron HowTo.
- A strict assortment of: file permissions, naming conventions and leading characters (e.g. "#!/bin/bash") are required in /etc/init/, /etc/if-up.d/ (used in a script to reload table 44 on boot) and /etc/cron.hourly/. Note that: startampr has properly named those files. If you wish to edit them, please follow the documentation and README for more details.
Support, bug reports and improvements
If you have questions to ask about the usage of this script, please contact the 44Net mailing list.
If you have improvements to the script and wish to submit a patch, please contact KB3VWG on the 44Net mailing list, or via contact details in the Portal. Thank you!
The daemon was written by Lynwood, KB3VWG, and with major contributions from PE1CHL (for implementation of policy-based IP routing), Heikki Hannikainen, OH7LZB (to version 1.0's integration with rip44d), and Marc, LX1DUC (to automate enabling of IP forwarding).
See also
Links
- Alternative installation instructions by KB9MWR
- Alternative installation instructions by Marc, LX1DUC
- [(link to KB3VWG's site here) Detailed Readme and Installation instructions by KB3VWG]